Data Processing Agreement

Last updated: 26 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Muon Works Ltd trading as Ask.School ("Processor", "we", "us") and the school or organisation using the Service ("Controller", "you"). It governs the processing of Personal Data by us on your behalf when you use the Ask.School platform (the "Service").

This DPA reflects Article 28 of the UK GDPR and the EU GDPR. Where it conflicts with the rest of the Terms, this DPA prevails for matters of personal-data processing.

1. Roles and scope

You are the Controller of Personal Data about your students, parents, staff, and other individuals you load into the Service or who use it under your account. We are the Processor of that Personal Data and process it only to provide the Service to you and to fulfil our obligations under the Terms.

Where we determine purposes and means independently — for example, billing the school admin who registered the account, securing our infrastructure, or analysing the public marketing site — we act as a separate Controller under our Privacy Policy.

This DPA takes effect when you accept the Terms or sign an order form, and it ends when the last Personal Data has been deleted or returned in accordance with section 9.

2. Subject matter and details of processing

The detail required by Article 28(3) UK GDPR is set out in Annex I.

Item: Detail
Subject matter: Provision of an AI-powered chatbot platform to schools
Duration: The term of the Subscription, plus any export window (see section 9)
Nature and purpose: Hosting, retrieval, AI inference, safeguarding monitoring, transactional communications, billing
Categories of data subjects: Students, parents/guardians, school staff, school administrators, public visitors using a school's public chatbot
Categories of Personal Data: Names, email addresses, year groups, sites/campuses, parent–student links, user-group memberships, chat content, uploaded documents, safeguarding alerts, audit and usage metadata
Special-category data: Only where you explicitly load it (e.g. a SEND or pastoral document) and approve it for use; flagged through our document approval workflow

3. Our obligations

We will:

  1. process Personal Data only on your documented instructions, including in respect of international transfers, unless required to do so by law (and where we are, we will tell you in advance unless prohibited);
  2. ensure that personnel with access to Personal Data are bound by confidentiality;
  3. apply the technical and organisational security measures described in Annex II;
  4. not engage another sub-processor without prior general or specific written authorisation under section 4;
  5. assist you in responding to requests from data subjects (Articles 12-22 UK GDPR) — primarily by providing the export, deletion, and audit-log tools in the Service;
  6. assist you with your own obligations under Articles 32-36 UK GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of the processing and the information available to us;
  7. notify you of a personal-data breach without undue delay and within 72 hours of becoming aware of it, with the information you need to meet your own notification duties;
  8. on termination, return or delete Personal Data in line with section 9; and
  9. make available to you the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in section 8.

4. Sub-processors

You give us general written authorisation to engage the sub-processors listed at /subprocessors, and any future sub-processors we add in the same way.

When we plan to add or replace a sub-processor we will:

  • update the /subprocessors page at least 30 days before the new sub-processor begins processing Personal Data; and
  • email the data-protection contact you have on file.

If you have a reasoned objection to a new sub-processor on data-protection grounds, contact us within 30 days of the notice. We will work with you to find a resolution. If we cannot agree, you may terminate the affected Subscription on written notice without further fees for the unused portion of the term.

We require each sub-processor to be bound by written terms imposing data-protection obligations no less protective than this DPA. We remain liable to you for the acts and omissions of our sub-processors as if they were our own.

5. International transfers

Application servers, the primary database, and our caching layer run in the United Kingdom (London). Uploaded documents and encrypted backups are stored in the European Union (Frankfurt).

Some sub-processors process Personal Data in the United States (notably OpenAI, Stripe US, Google Analytics, and Sentry when enabled). For those transfers we rely on:

  • the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK Addendum + EU SCCs), and/or
  • the relevant Data Privacy Framework certification where the importer is certified.

The mechanism that applies to each sub-processor is shown on the /subprocessors page. We assist you, at your reasonable request, in completing transfer impact assessments for our sub-processor stack.

6. Security measures

We implement and maintain the technical and organisational security measures set out in Annex II. We may update them from time to time, but not in ways that materially reduce the level of protection.

7. Data subject rights

You are responsible for responding to data subject requests. We will help you do so by:

  • providing self-service export and deletion tools in the dashboard;
  • on request, helping locate, copy, correct, or delete specific Personal Data we hold for you; and
  • redirecting any data subject requests we receive directly to you, where the data is yours, without responding to them ourselves (unless legally required to).

For users who are students, parents, or staff, requests should go to the school first. We will not respond to such requests on your behalf without your authorisation.

8. Audit rights

We will provide reasonable information to demonstrate our compliance with this DPA, including independent audit reports where we have them. You may carry out an audit of our processing of your Personal Data once per year, on at least 30 days' written notice, during business hours, in a way that does not unreasonably interfere with our operations and that does not reveal information about other customers. Audits are at your cost. Where third-party reports (for example, from our hosting providers) cover the matters in question, you will accept those in the first instance.

9. Termination, return, and deletion

On expiry or termination of the Subscription, you have 30 days to export Personal Data through the dashboard or by request. After that we delete Personal Data from production systems. Personal Data may continue to exist in encrypted, time-limited backups for up to 30 days, after which it is purged automatically and irretrievably.

We can return Personal Data earlier on written request. Where we are required by law to retain specific records (e.g. invoicing data for tax), we will retain only the minimum required and protect them under this DPA for as long as we hold them.

10. Liability

Each party's liability under this DPA is subject to the limitation-of-liability provisions in the Terms. Nothing in this DPA limits liability where it cannot be limited by law.

11. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over disputes, subject to the parties' right to seek urgent relief elsewhere.


Annex I — Details of processing

Controller: The school or organisation accepting these Terms
Processor: Muon Works Ltd trading as Ask.School (England and Wales)
Subject matter: AI-powered chatbot platform
Duration: The term of the Subscription, plus the export window in section 9
Nature and purpose: Host the platform; serve chatbots; run safeguarding and PII guardrails; sync MIS rosters (if connected); send transactional email; bill the Customer; provide support; secure the Service
Data subjects: Students, parents/guardians, school staff, school administrators, public visitors of public chatbots
Categories of data: Identifiers (name, email), school identifiers (year group, site, MIS ID), user-group memberships, parent–student links, chat content (encrypted), document uploads, safeguarding alerts, audit and usage logs, billing contact details
Special-category data: Only when the Customer chooses to upload it (e.g. SEND or pastoral documents) — gated by the document approval workflow
Frequency: Continuous for the duration of the Subscription

Annex II — Technical and organisational measures

We implement at minimum the following measures:

Encryption. Modern TLS in transit. Encrypted at rest using disk-level encryption on production storage. Sensitive personal-data fields (names, email addresses, chat content, safeguarding alerts) are additionally encrypted at the application layer using authenticated symmetric encryption. Daily database backups are encrypted and stored in a separate region.

Tenant isolation. Every database query is automatically filtered by the calling organisation, so one school cannot read another school's data. Isolation is enforced at the database layer rather than relying solely on application-level checks.

Access control. Customer administrator accounts use email/password with email verification and multi-factor authentication. Single sign-on is supported via Google, Microsoft, and Apple. Internal Ask.School staff access to production is on a need-to-know basis with multi-factor authentication.

Safeguarding and PII guardrails. Chat input and output are scanned for safeguarding concerns, special-category data, and configurable PII categories before responses are stored or returned. High-severity events trigger an alert to the school's designated safeguarding lead.

Document approval. Documents flagged as containing special-category data are blocked from the chatbot's vector store until a school administrator approves them, with an audit trail.

Backups and recovery. Encrypted backups run daily, are stored in a separate region (Frankfurt), retained for 30 days, and tested weekly.

Vulnerability management. CI runs pip-audit, bandit, and npm audit on every push to the main branch and weekly on dependency files. Critical issues are remediated promptly.

Logging and monitoring. Application errors and security events are logged. Service-call logs are retained for 30 days; guardrail-violation logs for 6 months.

Sub-processor management. Each sub-processor is bound by a written DPA. Transfer mechanisms are documented per sub-processor.

Personnel. Staff handling Personal Data are bound by confidentiality. We maintain awareness training appropriate to role.

Incident response. We maintain an internal data-breach response procedure with defined escalation, notification, and remediation steps.

Annex III — Sub-processors

The current list of authorised sub-processors and transfer safeguards is published at https://ask.school/subprocessors. It is updated when sub-processors change, with at least 30 days' notice as set out in section 4.


Contact
